CHAPTER 7. Advanced Networking Option
This chapter provides Alpha OpenVMS-specific installation information for the current release of Advanced Networking Option (ANO) for Security and Single Sign-On.
Attention: A separate license is required to use ANO.
The topics covered are as follows:
Use this section to install ANO, then see the Administrator's Guide for operating instructions. For further information about installing Oracle SQL*Net products, see the Oracle7 for Alpha OpenVMS Installation Guide.
This section details installation requirements for ANO on Alpha OpenVMS.
The topics covered in this section are:
The Advanced Networking Option for Security and Single Sign-On (ANO) is the new name for the product previously released as Secure Network Services. This release of ANO Alpha OpenVMS supports the following features:
- Encryption (to RSA and DES standards)
- Authentication (SecurID, Kerberos5, and Identix Adapters)
Attention: At this time, there is NO support for SQL*Net/DCE and Native Naming Adapters.
Version 2.3.3 of ANO Alpha OpenVMS is available on CD-ROM.
Installation Requirements
This section summarizes all the requirements necessary before installing ANO Alpha OpenVMS.
System Requirements
This section summarizes the hardware and software requirements for installing ANO Alpha OpenVMS.
See Also: Oracle7 for Alpha OpenVMS Installation Guide for complete information on hardware and software requirements for Oracle7.
Hardware:
See Chapter 1 of the Oracle7 for Alpha OpenVMS Installation Guide.
Software:
OpenVMS Version 7.1 (minimum)
Oracle Software Requirements
Table 7-1 specifies the software requirements for ANO.
| Software Requirements | Version | State During Installation |
| Oracle7 Server        | 7.3.3   | Installed                 |
| SQL*Net               | 2.3.3   | Installed (see Note)      |

Note: At least one network protocol adapter must be installed.
Table 7 - 1. ANO Software Requirements
Server Authentication Adapter Requirements
Table 7-2 specifies the software requirements for Authentication Adapters.
| Adapter       | Requirements for ANO                                                                                           |
| MIT Kerberos5 | Kerberos v5.4.2 or higher. The Kerberos authentication server must be installed on a physically secure machine. |
| SecurID       | ACE/Server v1.2.4 or higher                                                                                    |
| Identix       | Identix TouchNETII (Encrypt) 1.4                                                                               |
Table 7 - 2. Software Requirements for Authentication Adapters
Note: No additional authentication adapter software is required to relink Oracle products. However, Oracle does not provide an authentication server for Kerberos5, SecurID, or Identix. You must separately install and configure the appropriate authentication server.
This section describes the steps necessary to install ANO Alpha OpenVMS.
The topics covered in this section are:
See Also: The Oracle7 for Alpha OpenVMS Installation Guide for more information about installing Oracle products using the Installer.
Note: Any reference to ANO in the following pages refers to selecting one or more of the following options when building NETCONFIG with the Oracle Installer:
- Install SecurID Authentication Adapter
- Install Kerberos5 Authentication Adapter
- Install Identix Authentication Adapter
Installation Warning
When you install ANO, the Installer automatically relinks only the following Oracle products:
- NetConfig (lsnrctl, tnslsnr, names, namesctl)
- RDBMS (srv, imp, exp, sqlldr, ...)
If you do not wish to relink these executables, do not choose the options to install ANO.
To use other Oracle products after installing ANO, you must relink them as a separate operation.
Installation Tasks
****************
The following build option screen is displayed:

    NETCONFIG.DEF Configuration Options

       Option                                              Current Value

       1. System or Group Installation? [S/G]              S
       2. Install DECnet adapter? [Y/N]                    Y
       3. Install TCP/IP adapter? [Y/N]                    Y
       4. Build Oracle Names Server? [Y/N]                 N
       5. Install ANO encryption? [Y/N]                    N
       6. Install SecurID Authentication Adapter? [Y/N]    N
       7. Install Kerberos5 Authentication Adapter? [Y/N]  N
       8. Install Identix Authentication Adapter? [Y/N]    N

       Enter (A)LL to select all options.
       Enter (E)XIT to exit this menu with selected options.
       Enter (Q)UIT to quit this menu with no action.

       Enter the number of the option that you want to change:

Options 5, 6, 7, and 8 are related to ANO.
****************
Because ANO is linked into SQL*Net at installation time, it does not automatically take effect for every application that uses SQL*Net directly. Any application that connects to the database through SQL*Net and should have encryption or checksumming applied to its connection must be relinked after ANO is installed. This includes Oracle tools such as Reports 2.5 and Forms 4.5.
The list of products that are automatically relinked during ANO installation is given in the "Installation Warning" section.
****************
The Oracle Names executables are automatically relinked during the ANO build. To use ANO with Oracle Names, modify the file TNS_ADMIN:NAMES.ORA by adding an entry for the SQLNET.CRYPTO_SEED parameter. You can do this by copying the line that begins with "SQLNET.CRYPTO_SEED=" from your TNS_ADMIN:SQLNET.ORA file into your TNS_ADMIN:NAMES.ORA file.
Attention: The complete line must be copied exactly or you will not be able to start the Oracle Names Server using ANO.
****************
In the database server's local INIT.ORA file, set the following parameters:
remote_os_authent = false
os_authent_prefix = ""
For SecurID Adapter
The logical ORA_VAR_ACE must point to the directory that contains the configuration file SDCONF.REC. By default this logical points to the [NETWORK.ACE] directory under ORA_ROOT. If your configuration file is located elsewhere, change the logical definition in ORA_ROOT:[NETCONFIG]SECURID_USER.COM to the correct directory, and make sure that the directory is readable by all Oracle Server processes.
For Kerberos5 Adapter
The following file is required on the client side:
- krb.conf (configuration file that specifies the client's default realm and maps every known realm to its Key Distribution Centers (KDCs))
The following files are required on the server side:
- krb.realms (maps hostnames and domains to realms)
- v5srvtab (the keytab; it holds the service key that the KDC uses to encrypt service tickets issued for this server)
The location of each of these files MUST be specified using the corresponding parameter in SQLNET.ORA.
In addition, the SQL*Net client creates a credential cache file; its location must also be specified in the client-side SQLNET.ORA. Because v5srvtab holds a long-term secret key and the credential cache holds live tickets, set the OpenVMS file protection so that only the Oracle server account can read v5srvtab and only the owning user can read the credential cache.
The following is an example of the parameters in SQLNET.ORA for an installation that can act as both client and server:
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE=ORACLE
SQLNET.AUTHENTICATION_SERVICES = (BEQ,KERBEROS5)
SQLNET.KERBEROS5_KEYTAB = DISK:[TST7323.NETWORK.ETC]V5SRVTAB.
SQLNET.KERBEROS5_CONF = DISK:[TST7323.NETWORK.KRB5]KRB.CONF
SQLNET.KERBEROS5_REALMS = DISK:[TST7323.NETWORK.KRB5]KRB.REALMS
SQLNET.KERBEROS5_CC_NAME = DISK:[TST7323.NETWORK.CCACHE]CCFILE.DAT
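The two lookup files named above, krb.conf and krb.realms, decide which realm a database host belongs to and which KDC the adapter contacts for it. The following is an added example, not code from the Oracle documentation or from the ANO product, that parses both files and performs that resolution. It assumes the classic text formats (krb.conf: first line is the default realm, later lines are "REALM kdc-host [admin server]"; krb.realms: "hostname REALM" or ".domain REALM"), the traditional lookup rule (exact host entry, then the longest matching ".domain" entry, else the uppercased domain part of the host name), and the "service/host@REALM" principal form; the file contents are constructed for the example.

```python
"""Added example (not Oracle's or MIT's code): parse krb.conf and krb.realms as
the Kerberos5 adapter uses them, then resolve a database host to its realm and
KDCs. Formats and lookup rule assumed (classic text formats):
  krb.conf   first line = default realm; later lines "REALM kdc-host [admin server]"
  krb.realms each line "hostname REALM" or ".domain REALM"
  lookup     exact host entry, then longest ".domain" entry, else domain uppercased
The file contents below are constructed for the example."""

KRB_CONF = """\
EXAMPLE.COM
EXAMPLE.COM kdc1.example.com admin server
EXAMPLE.COM kdc2.example.com
CORP.EXAMPLE.COM kdc.corp.example.com admin server
"""

KRB_REALMS = """\
.corp.example.com CORP.EXAMPLE.COM
corp.example.com CORP.EXAMPLE.COM
alpha1.example.com EXAMPLE.COM
"""


def parse_krb_conf(text):
    """Return (default_realm, {REALM: [(kdc_host, is_admin_server), ...]})."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("krb.conf is empty: no default realm")
    kdcs = {}
    for ln in lines[1:]:
        fields = ln.split()
        if len(fields) < 2:
            raise ValueError("bad krb.conf line: %r" % ln)
        kdcs.setdefault(fields[0], []).append((fields[1], fields[2:4] == ["admin", "server"]))
    return lines[0], kdcs


def parse_krb_realms(text):
    """Return {hostname or .domain (lowercased): REALM}."""
    mapping = {}
    for ln in text.splitlines():
        fields = ln.split()
        if not fields:
            continue
        if len(fields) != 2:
            raise ValueError("bad krb.realms line: %r" % ln)
        mapping[fields[0].lower()] = fields[1]
    return mapping


def realm_of_host(hostname, realms_map):
    """Exact entry first, then the longest '.domain' suffix, else the
    uppercased domain part of the name (the traditional fallback)."""
    host = hostname.lower()
    if host in realms_map:
        return realms_map[host]
    labels = host.split(".")
    for i in range(1, len(labels)):                    # '.b.c' is tried before '.c'
        suffix = "." + ".".join(labels[i:])
        if suffix in realms_map:
            return realms_map[suffix]
    if len(labels) > 1:
        return ".".join(labels[1:]).upper()
    raise LookupError("cannot determine the realm of %r" % hostname)


def kdcs_for_realm(realm, kdcs):
    """KDC hosts for a realm, in krb.conf order; fails if the realm is unknown."""
    if realm not in kdcs:
        raise LookupError("krb.conf lists no KDC for realm %r" % realm)
    return [host for host, _ in kdcs[realm]]


def service_principal(service, hostname, realms_map):
    """'service/host@REALM': the principal the server's v5srvtab entry must carry.
    The service part is used exactly as given because it must match the KDC's case."""
    return "%s/%s@%s" % (service, hostname.lower(), realm_of_host(hostname, realms_map))


if __name__ == "__main__":
    default_realm, kdcs = parse_krb_conf(KRB_CONF)
    realms = parse_krb_realms(KRB_REALMS)
    for host in ("db.corp.example.com", "alpha1.example.com", "other.example.com"):
        realm = realm_of_host(host, realms)
        print(host, "->", realm, kdcs_for_realm(realm, kdcs))
    print("default realm:", default_realm, "| principal:",
          service_principal("ORACLE", "db.corp.example.com", realms))
```

A host with no entry and no matching domain falls through to the uppercased-domain rule, so a missing krb.realms line silently maps "other.example.com" to EXAMPLE.COM; check the resolved realm against the one the KDC actually serves before blaming a "Clock skew too great" or ticket error on the adapter.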
For Identix Adapter
The following is an example of the parameters in SQLNET.ORA for an installation that can act as both client and server when using the Identix Adapter. Because SQLNET.ORA then contains the fingerprint database account's password in clear text, restrict the file's protection so that only the Oracle software owner and the Oracle Server processes can read it:
SQLNET.AUTHENTICATION_SERVICES = (BEQ,IDENTIX)
SQLNET.IDENTIX_FINGERPRINT_DATABASE = <Alias for the Identix DB>
SQLNET.IDENTIX_FINGERPRINT_DATABASE_USER = OFM_CLIENT
SQLNET.IDENTIX_FINGERPRINT_DATABASE_PASSWORD = OFM_CLIENT
SQLNET.IDENTIX_FINGERPRINT_METHOD = ORACLE
This section describes the steps necessary to de-install ANO from your system.
The topics covered in this section are:
Attention: The de-install process will NOT modify any of the .ORA files under the TNS_ADMIN directory. If your SQLNET.ORA file contains parameters that enable authentication or encryption, they may no longer work after the de-install and must be removed or changed by hand. Make the same changes on any client installations, where necessary, so that clients and server remain compatible.
De-Installation Warning
Warning: The de-install script does NOT automatically relink any of the executables linked during ANO install. You need to use ORACLEINS to relink all of these executables.
De-Installation Tasks
****************
To prepare your system to de-install ANO, do the following:
1. Shut down all running database instances normally.
2. Shut down all SQL*Net listener processes.
3. Log in as the 'oracle' software owner, for example:
Username: ORACLE7
Password: <password>
4. Run ORAUSER.COM in your UTIL directory under ORA_ROOT. This will define the symbols and logicals for your oracle installation environment.
****************
De-installing ANO does NOT result in automatic relinking of the executables that were linked during ANO install. You need to relink these using ORACLEINS.
1. At the command prompt, type:
$ ORACLEINS
2. Choose option 3 to go to the Main Menu.
3. Choose option 1 to go to the "Software Installation and Upgrade Menu".
4. Choose option 2 "Select Build Configuration Options". Then select product "NetConfig". Your previous install options are remembered by ORACLEINS.
The following build option screen is displayed:

    NETCONFIG.DEF Configuration Options

       Option                                              Current Value

       1. System or Group Installation? [S/G]              S
       2. Install DECnet adapter? [Y/N]                    Y
       3. Install TCP/IP adapter? [Y/N]                    Y
       4. Build Oracle Names Server? [Y/N]                 N
       5. Install ANO encryption? [Y/N]                    N
       6. Install SecurID Authentication Adapter? [Y/N]    N
       7. Install Kerberos5 Authentication Adapter? [Y/N]  N
       8. Install Identix Authentication Adapter? [Y/N]    N

       Enter (A)LL to select all options.
       Enter (E)XIT to exit this menu with selected options.
       Enter (Q)UIT to quit this menu with no action.

       Enter the number of the option that you want to change:

Options 5, 6, 7, and 8 are related to ANO. Choose N for the options that you want to de-install.
5. Exit back to the "Software Installation and Upgrade Menu" and choose option 4 to build the selected products. This causes the following products to be relinked:
- NetConfig (lsnrctl, tnslsnr, names, namesctl, ...)
- RDBMS (srv, imp, exp, sqlldr, ...)
Note: De-install does NOT relink any other applications using SQL*Net. All such applications, including for example, Oracle Tools such as Reports 2.5 and Forms 4.5, must be relinked either through ORACLEINS, if possible, or manually.
The usage notes are categorized into the following areas.
General Information
Include the following line in your LISTENER.ORA file:
SQLNET.AUTHENTICATION_SERVICES=(NONE)
The listener should not participate in the authentication service.
It is recommended that you always include BEQ as one of the authentication services in your SQLNET.ORA file. Here is an example:
SQLNET.AUTHENTICATION_SERVICES=(BEQ,KERBEROS5)
In this way, connections made within the server machine through the default bequeath adapter do not have to go through the external authentication service. This is especially important during database startup and shutdown.
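The settings this chapter asks for are spread over four files: the SQLNET.CRYPTO_SEED line copied exactly into NAMES.ORA, the two INIT.ORA parameters, the Kerberos5 file-location parameters in SQLNET.ORA, and the listener and BEQ entries just described. The following is an added example, not code from the Oracle documentation or product, that parses the Oracle parameter-file syntax (NAME = value, NAME = (a, b), nested (KEY = (SUB = v)), with '#' assumed to start a comment) and audits a set of files against those recommendations. The file contents are constructed for the example; the TST7323 paths mirror the SQLNET.ORA example earlier in the chapter.

```python
"""Added example (not Oracle's code): parse Oracle *.ORA parameter files and audit
the ANO settings this chapter asks for. Sample file contents are constructed."""
import re

_TOKEN = re.compile(r'\s*(?:([()=,])|("[^"]*"|\'[^\']*\'|[^\s()=,]+))')
# SQLNET.ORA parameters a node acting as both Kerberos5 client and server must set.
KERBEROS5_PARAMS = ("SQLNET.AUTHENTICATION_KERBEROS5_SERVICE", "SQLNET.KERBEROS5_CONF",
                    "SQLNET.KERBEROS5_REALMS", "SQLNET.KERBEROS5_KEYTAB", "SQLNET.KERBEROS5_CC_NAME")

class _Parser:
    def __init__(self, text):
        self.toks, self.i = [], 0
        for line in text.splitlines():                 # '#' to end of line is a comment
            for m in _TOKEN.finditer(line.split("#", 1)[0]):
                self.toks.append(m.group(1) or m.group(2))

    def _peek(self, k=0):
        return self.toks[self.i + k] if self.i + k < len(self.toks) else None

    def _take(self, expect=None):
        tok = self._peek()
        if tok is None or expect not in (None, tok):
            raise ValueError("expected %r, got %r" % (expect or "a token", tok))
        self.i += 1
        return tok

    def params(self):                                  # NAME = value, repeated
        out = {}
        while self._peek() is not None:
            name = self._take().upper()                # names are case-insensitive
            self._take("=")
            out[name] = self._value()
        return out

    def _value(self):
        if self._peek() != "(":
            return self._take()                        # bare atom, possibly quoted
        groups = []
        while self._peek() == "(":
            self._take("(")
            groups.append(self._inner())
            self._take(")")
        if all(isinstance(g, dict) for g in groups):   # (A = ..)(B = ..) -> one dict
            return {k: v for g in groups for k, v in g.items()}
        return groups[0] if len(groups) == 1 else groups

    def _inner(self):
        if self._peek(1) == "=":                       # (KEY = value)
            name = self._take().upper()
            self._take("=")
            return {name: self._value()}
        items = [self._take()]                         # (a, b, c)
        while self._peek() == ",":
            self._take(",")
            items.append(self._take())
        return items

def parse_ora(text):
    return _Parser(text).params()

def _services(params):
    v = params.get("SQLNET.AUTHENTICATION_SERVICES", [])
    return [s.upper() for s in (v if isinstance(v, list) else [v])]

def audit(sqlnet, listener, names, initora):
    """Return findings against the chapter's settings; an empty list means all hold."""
    findings, svcs = [], _services(sqlnet)
    if "BEQ" not in svcs:
        findings.append("SQLNET.ORA: add BEQ to SQLNET.AUTHENTICATION_SERVICES so local bequeath "
                        "connections (database startup/shutdown) bypass external authentication")
    for p in KERBEROS5_PARAMS if "KERBEROS5" in svcs else ():
        if p not in sqlnet:
            findings.append("SQLNET.ORA: %s is required for the Kerberos5 adapter" % p)
    if _services(listener) != ["NONE"]:
        findings.append("LISTENER.ORA: set SQLNET.AUTHENTICATION_SERVICES=(NONE)")
    seed = sqlnet.get("SQLNET.CRYPTO_SEED")            # compared exactly, case-sensitive
    if seed is None or names.get("SQLNET.CRYPTO_SEED") != seed:
        findings.append("SQLNET.CRYPTO_SEED missing from SQLNET.ORA or not copied exactly to NAMES.ORA")
    if str(initora.get("REMOTE_OS_AUTHENT", "")).lower() != "false":
        findings.append("INIT.ORA: set remote_os_authent = false")
    if initora.get("OS_AUTHENT_PREFIX") != '""':
        findings.append('INIT.ORA: set os_authent_prefix = ""')
    return findings

# Constructed samples: the "bad" set breaks each recommendation; the "good" set follows the chapter.
SQLNET_BAD = """\
SQLNET.AUTHENTICATION_SERVICES = (KERBEROS5)
SQLNET.AUTHENTICATION_KERBEROS5_SERVICE = ORACLE
SQLNET.KERBEROS5_CONF = DISK:[TST7323.NETWORK.KRB5]KRB.CONF
SQLNET.KERBEROS5_REALMS = DISK:[TST7323.NETWORK.KRB5]KRB.REALMS
SQLNET.CRYPTO_SEED = "4fhfguweotcadsfdsafjkdsfqp5f201p45mxs"
"""
LISTENER_BAD = "SQLNET.AUTHENTICATION_SERVICES = (BEQ, KERBEROS5)\n"
NAMES_BAD = 'SQLNET.CRYPTO_SEED = "4fhfguweotcadsfdsafjkdsfqp5f201p45mxS"\n'   # retyped: last char differs
INIT_BAD = "remote_os_authent = true   # os_authent_prefix left at its default\n"
SQLNET_GOOD = SQLNET_BAD.replace("(KERBEROS5)", "(BEQ,KERBEROS5)") + """\
SQLNET.KERBEROS5_KEYTAB = DISK:[TST7323.NETWORK.ETC]V5SRVTAB.
SQLNET.KERBEROS5_CC_NAME = DISK:[TST7323.NETWORK.CCACHE]CCFILE.DAT
"""
LISTENER_GOOD = "SQLNET.AUTHENTICATION_SERVICES = (NONE)\n"
NAMES_GOOD = 'SQLNET.CRYPTO_SEED = "4fhfguweotcadsfdsafjkdsfqp5f201p45mxs"\n'
INIT_GOOD = 'remote_os_authent = false\nos_authent_prefix = ""\n'
```

Run as audit(parse_ora(SQLNET_BAD), parse_ora(LISTENER_BAD), parse_ora(NAMES_BAD), parse_ora(INIT_BAD)) to get seven findings, one per broken setting; the "good" set returns an empty list. The crypto seed is compared byte for byte, which is exactly why the chapter insists on copying the line rather than retyping it.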
SecurID
If you expect long delays on the network link between your client machine and the ACE server, use the following syntax to connect to the database, for example:
$ SQLPLUS USERNAME/"<nnnn><pppppp>+<qqqqqq>"@DATABASE
where:
<nnnn> is the PIN of your SecurID card.
<pppppp> and <qqqqqq> are two successive codes displayed on the card.
Kerberos5
1. Make sure that the clock skew between the client machine and the machine running the KDC is less than one minute.
2. Oracle client and server processes record time in Coordinated Universal Time (UTC), as seconds elapsed since 00:00:00 on January 1, 1970. Make sure that your system's time zone (its offset from Greenwich Mean Time) is set correctly; otherwise the times exchanged with the KDC are off by the zone offset and you will get the error "Clock skew too great" in your SQL*Net trace file.
3. Make sure that the value of the parameter SQLNET.AUTHENTICATION_KERBEROS5_SERVICE that you specify in SQLNET.ORA matches exactly, including case, the service name registered in the KDC.
Identix (Biometric)
Make sure that the alias that you are using in the SQLNET.IDENTIX_FINGERPRINT_DATABASE parameter is in the TNSNAMES.ORA file on the server side. This alias in the TNSNAMES.ORA file should contain the line:
(security=(authentication_service=none))